Modify FreeIPA Password Policy – Part 8


There are three main configuration areas that are defined within the password policy:
1. Strength or complexity requirements
2. History
3. Account lockout

Step 1: View the default global password policy

[root@mgmtsrv ~]# ipa pwpolicy-show
Group: global_policy
Max lifetime (days): 90
Min lifetime (hours): 1
History size: 0
Character classes: 0
Min length: 8
Max failures: 6
Failure reset interval: 60
Lockout duration: 600

Step 2: View user password policy

[root@mgmtsrv ~]# ipa pwpolicy-show --user=john
Group: global_policy
Max lifetime (days): 90
Min lifetime (hours): 1
History size: 0
Character classes: 0
Min length: 8
Max failures: 6
Failure reset interval: 60
Lockout duration: 600

Step 3: Modify the global password policy

[root@mgmtsrv ~]# ipa pwpolicy-mod --minlife=7 --maxlife=90 --history=3
Group: global_policy
Max lifetime (days): 90
Min lifetime (hours): 7
History size: 3
Character classes: 0
Min length: 8
Max failures: 6
Failure reset interval: 60
Lockout duration: 600

Verify that the change is now the effective policy for the user with the command below.

[root@mgmtsrv ~]# ipa pwpolicy-show --user=john
Group: global_policy
Max lifetime (days): 90
Min lifetime (hours): 7
History size: 3
Character classes: 0
Min length: 8
Max failures: 6
Failure reset interval: 60
Lockout duration: 600

If an administrator resets a password, it expires the previous password and forces the user to update the password. When the user updates the password, it automatically uses the new password policies, including a new expiration date.

Now we will try to change the user password and check the expiration date.

[root@mgmtsrv ~]# ipa user-mod john --password
Password:
Enter Password again to verify:
--------------------
Modified user "john"
--------------------
User login: john
First name: John
Last name: Daniel
Home directory: /home/john
Login shell: /bin/bash
Email address: john@lab.local
UID: 5001
GID: 5001
Account disabled: False
Password: True
Member of groups: ipausers, sysprod-admin
Member of HBAC rule: prod-sshd
Indirect Member of Sudo rule: linux-dev
Kerberos keys available: True

Check the user password expiration date

[root@mgmtsrv ~]# ipa user-show john --all | grep krbpasswordexpiration | awk '{print $2}' | cut -c 1-8
20171124

The output above shows today's date because the administrative reset expires the password immediately; the new policy (and its 90-day lifetime) does not apply until the user john changes the password, which the next login forces.

[root@mgmtsrv ~]# ssh john@ksclient.lab.local
The authenticity of host 'ksclient.lab.local ()' can't be established.
RSA key fingerprint is 25:f5:95:6e:d1:be:20:79:c4:40:9f:95:e5:29:ad:e2.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'ksclient.lab.local' (RSA) to the list of known hosts.
john@ksclient.lab.local's password:
Password expired. Change your password now.
Last login: Fri Nov 24 08:33:10 2017 from 10.10.10.1
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user john.
Current Password:
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
Connection to ksclient.lab.local closed.

The output below shows the new password expiration date according to the new password policy: 2018-02-22 is 90 days after 2017-11-24, matching the 90-day maximum lifetime.

[root@mgmtsrv ~]# ipa user-show john --all | grep krbpasswordexpiration | awk '{print $2}' | cut -c 1-8
20180222
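The two checks above (confirming that the effective policy has the intended values, and reading the expiration date out of krbpasswordexpiration) are done by eye on this page. The script below is an added example, not part of the original post, that automates both as an audit step: audit_pwpolicy reads the "Key: value" lines printed by ipa pwpolicy-show and reports every setting below a baseline, and password_expired compares the date part of a krbpasswordexpiration value with a reference date. The baseline thresholds and the sample policy text are constructed for the example; they are not FreeIPA defaults and are not the author's values.

```shell
#!/bin/sh
# Audit a FreeIPA password policy as printed by `ipa pwpolicy-show`.
# Reads "Key: value" lines on stdin, prints one finding per setting that is
# below the baseline, and returns 0 only when there are no findings.
# Baseline values are assumptions chosen for this example.
audit_pwpolicy() {
    findings=0
    while IFS= read -r line; do
        key=${line%%:*}          # text before the first colon
        value=${line#*:}         # text after the first colon
        value=${value# }         # drop the single leading space
        case "$key" in
            "History size")
                [ "$value" -ge 3 ] || { echo "History size $value < 3: recent passwords can be reused"; findings=$((findings + 1)); } ;;
            "Character classes")
                [ "$value" -ge 3 ] || { echo "Character classes $value < 3: no complexity requirement"; findings=$((findings + 1)); } ;;
            "Min length")
                [ "$value" -ge 12 ] || { echo "Min length $value < 12: short passwords allowed"; findings=$((findings + 1)); } ;;
            "Max failures")
                # 0 leaves the account without lockout, so require 1..10
                { [ "$value" -ge 1 ] && [ "$value" -le 10 ]; } || { echo "Max failures $value outside 1..10"; findings=$((findings + 1)); } ;;
            "Lockout duration")
                [ "$value" -ge 600 ] || { echo "Lockout duration $value s < 600 s"; findings=$((findings + 1)); } ;;
            "Max lifetime (days)")
                [ "$value" -le 365 ] || { echo "Max lifetime $value days > 365"; findings=$((findings + 1)); } ;;
        esac
    done
    [ "$findings" -eq 0 ]
}

# Return 0 (expired) when the YYYYMMDD part of a krbpasswordexpiration value
# (e.g. 20180222083310Z) is on or before the reference date given as YYYYMMDD.
# An admin reset sets the expiration to "now", so an expiry equal to today
# means the user must change the password at the next login.
# Usage: password_expired <krbpasswordexpiration> <today>
password_expired() {
    expiry=$(printf '%s' "$1" | cut -c 1-8)
    [ "$expiry" -le "$2" ]
}

# Constructed sample: the global policy as shown on this page after Step 3.
sample_policy='Group: global_policy
Max lifetime (days): 90
Min lifetime (hours): 7
History size: 3
Character classes: 0
Min length: 8
Max failures: 6
Failure reset interval: 60
Lockout duration: 600'

printf '%s\n' "$sample_policy" | audit_pwpolicy || echo "policy is below the example baseline"
```

Run it on a live server by replacing the constructed sample with `ipa pwpolicy-show --user=<login> | audit_pwpolicy`; the non-zero exit status makes it usable from a cron job or CI check, and the findings printed for the page's own policy (no character classes, minimum length 8) are the two settings a reviewer would raise first.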
